Relin's standard Data Processing Agreement.

1. Roles

The customer is the data controller for personal data contained in webhook events, account records, workspace members, recipients, and portal sessions. Relin is the data processor for that data and processes it only under the customer's documented instructions, which include the customer's configuration of sources, destinations, retention windows, alert channels, and portal sessions.

2. Scope of processing

Subject matter: receiving, verifying, storing, delivering, retrying, and replaying webhook events; operating the workspace dashboard, API, MCP server, and billing integration.

Duration: for as long as the customer maintains an active workspace, plus the retention windows the customer has configured.

Categories of data: account identifiers, emails, authentication material, workspace settings, source and destination configuration, webhook event metadata and payloads, delivery attempts, audit records, billing status.

Categories of data subjects: workspace members; end users and systems whose webhooks pass through the service; recipients configured for dispatch.

3. Subprocessors

Relin uses the subprocessors listed at /subprocessors. Customer authorizes Relin's use of those subprocessors. Relin binds each subprocessor to data-protection obligations materially equivalent to this agreement and remains liable for each subprocessor's performance of those obligations. Relin will provide customers with reasonable advance notice of material changes to its subprocessor list.

4. Security

Relin implements technical and organizational measures appropriate to the risks of processing, including access controls, encrypted transport, encryption of sensitive material at rest where supported, audit records, and segregation of environments. Relin's security measures inherit from and are bounded by the capabilities of its infrastructure subprocessor. Further detail is available under NDA through legal@relin.app.

5. Confidentiality

Relin ensures that personnel with access to personal data are bound by confidentiality obligations and are trained on those obligations.

6. Data subject rights

Taking into account the nature of the processing, Relin assists the customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the customer's obligations to respond to data-subject requests. The customer can retrieve or delete event data, payloads, and workspace records through the workspace dashboard and API.

7. Breach notification

Relin will notify the customer without undue delay after becoming aware of a personal-data breach affecting the customer's data, providing the information the customer reasonably needs to fulfill its own breach-notification obligations.

8. International transfers

Where Relin transfers personal data from the European Economic Area, United Kingdom, or Switzerland to a country without an adequacy decision, Relin relies on Standard Contractual Clauses or an equivalent mechanism provided by its subprocessor, and implements supplementary measures as appropriate.

9. Audits

Relin will make available to the customer information necessary to demonstrate compliance with this agreement, and will allow audits by the customer or an auditor mandated by the customer, subject to reasonable notice, scope, and confidentiality obligations, and at the customer's expense. Relin may satisfy this obligation by providing up-to-date third-party attestation reports where available.

10. Return and deletion

At the customer's choice, on termination of the service, Relin will delete or return all customer personal data unless applicable law requires storage. Customers can trigger deletion directly from the workspace dashboard.

Contact

For a counter-signed DPA, questions about this agreement, or to exercise rights under it, contact legal@relin.app.